Written by: Crystal McFerran, CMO
It’s easy to see the value marketing provides when you work in marketing, but it can be a lot harder for others to see the true value of marketing. Marketing feeds into your sales process significantly by generating leads, growing brand awareness and nurturing industry awareness. One of the first steps to really see the return on investment (ROI) is to disconnect your marketing process from traditional, transactional sales. You need to make the intangible become tangible.
How you do this is highly contextual and variable, but it almost always helps to present the data, show the relationships you’ve grown, showcase how your marketing campaigns help sell and then help show how to recognize the intangible parts of what you’ve done throughout the process. What does a lead cost, and how was it fed by your marketing campaigns? By showing this to your company, you can prove your worth.
Seeing Data
The difference between understanding data and seeing data is the difference between dawn and dusk. Dawn marks the start of a new day with new potential, while dusk marks the end of the day, when you wrap up what you’re doing to prepare for the next. You can’t just see the data; you need to really take it in and absorb it.
Data makes up the raw ingredients in your recipe, but metrics are what you get after you cook everything. Raw data can be shaped in many ways, but metrics allow you to show just what the data truly means. There’s a hair’s distance between seeing data and it meaning something.
Seeing Relationships
If some random company remembers your birthday, do you remember that? When your birthday comes, will you think of a random company that didn’t reach out or the one company that actually did? The company that sends me a coupon has a much better chance of me thinking of it than the one that doesn’t. If you reach out, you have the chance of your customers thinking about you.
However, too much interaction can feel oppressive. My spam filter keeps getting smarter because some brands get lazier with their campaigns. Great — you know my birthday, and every day from my birthday to my half-birthday (which no one cares about), but all you’ve done is alienate me with your constant outreach. A relationship requires upkeep, but you can’t smother it to death.
Seeing Sales Shine
The sales process makes up your funnel, and your marketing campaign is the difference between the filter dealing with mud or water. One is easy to clear up; the other requires time and effort. What do you think your sales team’s time is worth? Marketing frees up your salespeople from dead ends and helps keep other parts of your workplace functioning with synergy instead of working against each other.
Your sales team truly shines when they’re handed leads that work with them rather than against them. Your marketing process should cut a lot of junk out of the sales funnel. What do the leads look like before and after you run your marketing campaign?
Seeing The Intangible
The problem with most of our modern marketing efforts is that they’re too intangible in many ways. Your boss doesn’t get that the extra lead came from Joan specifically because she needed a company to solve her issue and she thought of you because of a conference that she got your card from. She saw your number and thought of you, and now she’s directed her entire business toward your sales team. How much does that first domino in the chain weigh for you?
How much did that lead cost you? Can you quantify it easily, or is it something you need to sit down and think about? How many leads do you manage to pull in, and how much do you spend on your marketing? How much does your sales team spend? If you see the data and you really break it down, you can quickly figure out just what happens from your marketing campaigns.
Seeing The Process
What is your brand’s awareness worth? When James thinks of your field, does he think of you and your company? You can’t control what potential clients think, but you can control how they perceive you.
We work to make sure that when people think of scalable IT, they think of us. When they think of visionary, they think of our CEO. We think big from the ground up. The data means we can see exactly where we are and just where we want to go. We don’t just focus on the sales funnel; we focus on the people behind each sale. Sales can really shine when the whole process enables people to see each other on an equal level.
Seeing The Return On Investment
The difference between the pieces we started with and what we’ve created is the difference between six of one and half a dozen of the other. What about the subtlety between lilac and lavender? They’re both floral, but one is bright and alive in a way the other lacks. Make sure you’re brighter than your competitors.
The ROI you get from your marketing is going to depend on just how you approach the process and how you figure out your results. When you can actually differentiate the dawn from the dusk, you can see the implication of your efforts. Does it work for you, or does it just disappear?
What does each transaction get you? A lead is expensive, but what is it worth to you? Your marketing feeds, catalyzes and enables your sales team. Do you see value, or do you just hope for it? Once you can see the process, you have to comprehend it and help others make sense of it. Is marketing a black hole for you, or is it the process that separates you and your competition?
Meet Jerrod Ford, Videographer!
Jerrod Ford quickly became a tremendous asset to the entire team at The 20. Read below to find out more about Jerrod.
What do you do here at The 20?
I shoot, edit, and create video content.
Describe The 20 in three words…
Collaborative. Interesting. Fun.
As a kid, what did you want to be when you grew up?
I’m sure I had quite a few ideas but it sticks out to me that I wanted to operate construction tractors and heavy machinery.
What’s the most challenging thing about your job?
Organizing terabytes of files.
What do you consider your greatest achievement?
Being able to provide for myself doing things I enjoy; however, I hope my greatest achievements still lie ahead of me.
What do you think is the most important quality necessary for success?
Consistency.
What do you like most about The 20?
The people.
What do you like to do in your spare time? / What are your hobbies?
I play drums, make music, and dabble with guitar and piano. I also enjoy mountain biking and running.
Where are you going on your next vacation?
Not 100% sure but hopefully the beach!
What’s your top life hack?
Taking care of your body takes care of your mind.
Interested in working with Jerrod at The 20? We’re hiring! Check out our Careers page for more info.
Cyber insurance is simple in concept, but complicated (to put it lightly) to implement. It’s a form of insurance that covers expenses related to a cybersecurity breach or similar incident. But you’re also getting a cross of the pain points of insurance and cybersecurity. The points make sense when you abstract them a bit, but it’s understanding the what and the why that can be painful.
Business insurance contracts can be confusing and complicated when it comes to the exact rules and what pays out what, but cyber insurance can get even more complicated. It covers topics ranging from compliance to encryption, MFA, security, backups, and outages. You get a little bit of everything on a level most businesses aren’t ready for. It’s not just a technical question; there are rules, and they don’t always make sense.
Compliance
Most businesses are familiar with PCI and HIPAA compliance, but there are even more standards you may or may not need to pay attention to. Which one does your cyber insurance solution use, prefer, or encourage? There are a lot of standards, but some are more pressing than others.
You also have to consider GDPR and CCPA compliance in some industries and economies. Other compliance frameworks, such as CMMC, are also popping up and may be preferred. If these acronyms and letter jumbles aren’t ringing a bell, you may need to read up before applying for new insurance policies.
Cyber insurance providers are going to ask you how compliant you are. You might feel confident, but just how compliant are you actually? Are you actually compliant or do you just think you are? What level of third-party audits are you performing to make sure you’re doing what you need to? What compliance standards are you using and how closely are you adhering to them? What are you auditing, what level are you auditing, and how often are you doing it?
Have you been certified for your compliance tasks? Who is the compliance officer for your business or client? What level of credentials do they have to make them able to fill this role? You may not need to answer all of these on the insurance form, but it’s best to have the answers available from a security and business liability standpoint.
Encryption
Is data wide open or is it encrypted? What about your backups? What level or type of encryption is in use? Cyber insurance companies are going to ask these questions, and dig much, much deeper.
Are you encrypting communications internally and externally? How about VPNs between sites and for remote workers? Or do you use an advanced SASE system instead?
Encryption is a fundamental part of security and one which will come up constantly with cyber insurance offerings. Some plans may not require it for some industries, but it’s always a good plan to have some level of encryption in your security stack. Data exfiltration isn’t just a liability from an insurance perspective; it’s a liability to a business.
At the very least, it’s near trivial to implement an encryption policy for individual devices including desktops, laptops, and phones. You can work to encrypt sensitive data in SQL and similar to protect sensitive applications. You need to also make sure backup solutions are encrypted where possible as well.
There isn’t a one size fits all approach to encryption. Some products you need for your industry may not work as expected with encryption on certain data. Other products may just not have encryption as an option. Cyber insurance providers are aware you may have your hands tied, but they need to know to properly assess liability.
Scope of Data
How much data are you managing? How many individual records are there and how are they classified? Do you have generic data on a million individuals or hugely in-depth, personal data on a smaller set? You don’t need to have exact numbers (necessarily), but you need to have a rough scope of what you’re working with.
The more data you have which is personally identifying, the more it can impact HIPAA, PCI, etc. compliance. How much data you have also impacts how likely you are to be a target. Personally Identifiable Information (PII) is worth a lot to certain groups. The right PII can be used to carry out social engineering attacks or even used to circumvent certain security systems (e.g. biometric data).
What type of data do you have and where are you storing it? Are you using cloud repositories such as Dropbox and OneDrive to store certain data or is it all local? The where is as important as the what, since an insecure onsite backup is less safe than a secured cloud system, but a private cloud (and properly secured) is the safest of the three.
Cyber insurance vendors want to know what kind of data you have and where it is. This determines how large your attack surface may be and what is potentially at stake for your business in the event of a breach.
Multi-Factor Authentication and Credentials
Do you apply Multi-Factor Authentication (MFA) across the site with everything possible? If not, is there a good reason (e.g. nothing of any real value) or is it due to a technical limitation of a service?
MFA solutions will help cut down on the value of a password substantially which increases the inherent security of a system. This leads to a harder time breaching a specific site or data repository. Some cyber insurance providers want MFA applied to virtually everything, others are a little more flexible with the right security setup. Either way, a lack of MFA on core infrastructure and important data sources is a serious security concern.
MFA blurs into protecting and limiting access to privileged user accounts as well. Sometimes, you need a specific admin account while the person managing said service needs substantially less access to do their job. Are you using a single account or reducing the chance of being breached by having the admin account locked up somewhere?
Solutions like ITGlue (despite being a documentation product, it manages passwords as well) can help limit this access and provide a way to audit who has accessed a given resource. You get a system to account for who has what access and when they use it. This allows for better monitoring of credential usage and allows a gatekeeping process for privileged accounts.
Security
What AV solution are you using? Are you using a Next-Generation Antivirus (NGAV) solution, an Endpoint Detection and Response (EDR) system or similar across the business? What about next-generation firewalls like Palo Altos or similar which can work at layer 7? Are you using zero trust architecture?
Security may also include services or processes such as a SOC, NOC, SIEM, proactive monitoring, proactive auditing, etc. How aware are you of every change to every asset for your business and how do you make sure that everything is complying with your security policy? How often are you installing patches? What legacy software or solutions are in use? Are you using protective DNS services to prevent bottom-of-the-barrel attacks and similar? Do you have an isolation policy or the ability to easily isolate compromised assets?
Many cyber insurance vendors also dive into email and phishing. Are you using DKIM, SPF, and DMARC to help detect spoofed or otherwise questionable emails? Are you using advanced spam filters and similar to reduce the attack surface even further? There are far more questions any good MSP or security provider should be asking.
These questions are ones you should be asking yourself regularly anyway, but cyber insurance brings them to the forefront. Here at The 20, we try to have solutions to virtually all of these questions which fit the needs of secure industries without making work painful. Security requires a balancing act between absolute security and functionality. The right education and the right security solutions can keep your business running smoothly.
Backup
We touched on some parts of backups previously, but cyber insurance dives into this process deeply. The difference between a business with a good Disaster Recovery (DR) policy and one without getting ransomware is the difference between a bad day and bankruptcy. Are you backing up important infrastructure and data? Are you checking your backups and making sure that things are working as expected? Do you keep cold backups or an air-gapped solution to keep data safe? Are you encrypting your backups to prevent exfiltration or exposure in the event of a backup provider having a breach?
These are all best practices for backups at any level, and solutions like Unitrends and similar have made the process relatively easy. What backup provider are you using and how are you making sure it doesn’t become a liability? In the post-security world, it isn’t a matter of if but when you’re breached that makes all the difference. Downtime is extremely expensive.
Standard security policies need to be applied to backups as well. Are you making sure that there aren’t shared credentials or similar to prevent easy exfiltration? Do you use some kind of system to control access to credentials with correct privileges to prevent accidental access? Are you using MFA where possible to limit access to replication vaults or backup appliances?
Uptime
How much uptime do you have? When is the last time your site went down and how long was it for? Why did you have downtime and what could you do differently? All of these are going to be lines of near-inquisition from a cyber insurance vendor.
You can tell them what you plan to do, but no plan survives an encounter with the enemy. What happened when you actually had to test your plan? Were you down for a few minutes or down for days? Are you making sure to shore up said issues or are there ticking time bombs at your business?
Security is meaningless if someone bypasses it or if the response doesn’t work. Post-security also means that prevention is only one half of the equation to a proper defense for your business. Do you have a track record of your assets going down or is your infrastructure resilient?
The more likely a business is to suffer negative downtime, the harder it is to justify insuring said business. You can have everything great in theory, but how has it been tested? Or has it?
Summary
The cyber insurance process is extremely complex, but all of the questions asked will make sense. They want to know what you do, how you do it, and how it’s worked out. Virtually every question on a cyber insurance application is one you should already have in your primary security and business plan for yourself or your client (even if the form isn’t the same).
Are you adhering to compliance standards which affect your industry? How do you know? Are you encrypting any and all data that makes sense? How much data are you working with and where is it? Do you use MFA where possible? What is your proactive and response security like and what all are you throwing at keeping your business safe? How good are your backups and are they actually functional? How much downtime have you had, what caused it, and how did you respond?
Asked this way, all of these questions boil down to a basic security plan. You just need to know every detail and every facet to ensure that your business is actually secure, and a way to put it in something that can be converted to financial details. Can you walk the walk or just talk the talk? Use a cyber insurance checklist (or ideally multiple checklists) as a roadmap for your own business success.
Contact us at The 20 to learn more about what we can do to make your business grow.
What is a SOC?
It’s good to be nervous about the recent explosion of cybercrime, but it’s even better to be prepared. If you’re a business owner, now is the time to invest in your organization’s security posture, but deciding how much to invest, and which tools, strategies, and solutions to invest in, can be difficult, confusing, and stressful. You want to be responsible and keep your business safe, but your budget is limited, which means you’ll have to make tough choices about where and how to spend it. This is especially true for small-to-medium sized business (SMB) owners, who can’t afford the same protective measures as corporate giants. This article is written with you in mind.
One security solution you might have heard about as an SMB owner is a security operations center (SOC — pronounced “sock”). The following discussion will help you answer two questions:
- What is a SOC?
- Should I establish a SOC for my SMB?
We can’t definitively answer the second question for you, as your business’s particular needs are just that — particular (i.e., unique to your situation). But we can provide general guidelines that will assist you in making an informed and responsible decision.
What is a SOC?
Defining a SOC
The term “SOC” is sometimes used to refer to a facility that houses a team of information security experts. But this definition is quickly becoming obsolete, as there are virtual SOCs which do not exist at a single location. A better definition equates a SOC with the cybersecurity personnel themselves, along with the processes and technology they employ to monitor and manage an organization’s security posture in real time (and generally on a 24/7 basis).
The overarching purpose of a SOC is to bolster an organization’s cybersecurity by identifying, mitigating, and preventing risks before they escalate into larger, business-disrupting problems. In our day and age, being proactive about cybersecurity — as opposed to reactive — is a must, and establishing a SOC means fully embracing the proactive philosophy.
Who is in a SOC?
The exact makeup of a SOC will vary, with larger SOCs containing more people and more specialized roles. But, generally speaking, a SOC team will include analysts, engineers, and managers.
Analysts’ primary responsibility is to detect potential security threats and assign them a level of urgency in order to trigger the appropriate response. Your SOC’s analysts are your first line of defense against malicious actors who want to penetrate your organization’s network.
A SOC’s engineers design, implement, and maintain the tools that constitute your organization’s security architecture. This means ensuring that your systems receive regular updates, as well as recommending any changes that seem necessary in light of the ever-evolving security landscape. Security engineers are also responsible for documenting security processes and protocols, which allows the rest of the SOC team to carry out their duties effectively and efficiently, as well as ensures that your organization remains compliant with relevant governmental and industry regulations.
Overseeing the entire SOC are security managers. A security manager’s duties are many, and include coordinating the activities of analysts and engineers, hiring/training new staff, working closely with management (e.g., the chief information security officer) to align security strategies with business goals, and spearheading responses to major security incidents.
Some SOCs will have personnel with highly specialized roles (e.g., compliance auditors and forensics investigators). Also, depending on the size of a SOC, a single person may take on multiple roles.
How does a SOC work?
Security Information and Event Management (SIEM)
A SOC protects your organization by proactively scanning your organization’s entire digital infrastructure — networks, databases, servers, endpoints, applications, websites, etc. — ideally on a 24/7/365 basis.
Most SOCs exhibit a “hub and spoke” architecture, where computer-generated log data from various systems in your organization is continuously collected and analyzed for anomalous (i.e., suspicious) activity. The amount of data we’re talking about here is vast, and the modern SOC employs a security information and event management (SIEM) system to corral all of this information and organize it in a way that makes it amenable to human analysis.
The power of SIEM software comes from its ability to sift through huge batches of data in mere seconds, and employ machine learning to define “normal” network activity. The latter is especially crucial for preventing “threat fatigue,” which arises when a SOC is overwhelmed by simply too many alerts, many of which are false alarms. With an effective SIEM solution, a SOC can rely on technology to weed out false positives, freeing up team members to focus on actual threats.
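The baselining idea described above can be shown on a small scale. This is an added example, not code from the article or from any SIEM product: the log format, the source names (`vpn-gw`, `file-srv`, `hr-laptop`) and the counts are constructed, and a simple per-source mean plus three standard deviations stands in for the machine learning a real SIEM would use.

```python
import re
import statistics
from collections import defaultdict

# Assumed (hypothetical) log format: "<hour> source=<name> failed_logins=<n>"
LINE_RE = re.compile(r"^(\S+) source=(\S+) failed_logins=(\d+)$")

# Constructed sample data: hourly failed-login counts sent by three sources
# (the "spokes") to the central collector (the "hub").
HISTORY = """\
2024-05-01T09 source=vpn-gw failed_logins=38
2024-05-01T10 source=vpn-gw failed_logins=42
2024-05-01T11 source=vpn-gw failed_logins=45
2024-05-01T12 source=vpn-gw failed_logins=40
2024-05-01T13 source=vpn-gw failed_logins=37
2024-05-01T14 source=vpn-gw failed_logins=44
2024-05-01T09 source=file-srv failed_logins=2
2024-05-01T10 source=file-srv failed_logins=1
2024-05-01T11 source=file-srv failed_logins=3
2024-05-01T12 source=file-srv failed_logins=2
2024-05-01T13 source=file-srv failed_logins=2
2024-05-01T14 source=file-srv failed_logins=1
2024-05-01T09 source=hr-laptop failed_logins=0
2024-05-01T10 source=hr-laptop failed_logins=1
2024-05-01T11 source=hr-laptop failed_logins=0
2024-05-01T12 source=hr-laptop failed_logins=0
2024-05-01T13 source=hr-laptop failed_logins=1
2024-05-01T14 source=hr-laptop failed_logins=0
"""

# Constructed "current hour" that the analysts have to triage.
CURRENT = """\
2024-05-01T15 source=vpn-gw failed_logins=46
2024-05-01T15 source=file-srv failed_logins=30
2024-05-01T15 source=hr-laptop failed_logins=1
"""


def parse_events(text):
    """Turn log lines into (hour, source, count) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append((match.group(1), match.group(2), int(match.group(3))))
    return events


def build_baseline(events):
    """Learn what "normal" looks like per source: (mean, standard deviation)."""
    per_source = defaultdict(list)
    for _, source, count in events:
        per_source[source].append(count)
    baseline = {}
    for source, counts in per_source.items():
        spread = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[source] = (statistics.mean(counts), spread)
    return baseline


def static_alerts(events, threshold):
    """One fixed threshold for every source: simple, but noisy."""
    return sorted(src for _, src, count in events if count > threshold)


def baseline_alerts(events, baseline, k=3.0, min_spread=1.0):
    """Alert only when a source exceeds its own normal range.

    min_spread keeps very quiet sources from alerting on a change of one or
    two events. A source with no history is always reported, because an
    unknown log source is itself worth a look.
    """
    alerts = []
    for _, source, count in events:
        if source not in baseline:
            alerts.append(source)
            continue
        mean, spread = baseline[source]
        if count > mean + k * max(spread, min_spread):
            alerts.append(source)
    return sorted(alerts)


if __name__ == "__main__":
    current = parse_events(CURRENT)
    learned = build_baseline(parse_events(HISTORY))
    # The fixed threshold also fires on vpn-gw, which is always this busy.
    print("static threshold 25:", static_alerts(current, 25))
    # The learned baseline reports only the file server's real deviation.
    print("per-source baseline:", baseline_alerts(current, learned))
```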
Incident Response
When a SOC does come across a legitimate threat, it’s all systems go. After the urgency of the threat is established, a sequence of responsive measures is initiated to shrink “breakout time” as much as possible (“breakout time” is the time it takes an intruder to move from the first compromised machine to other parts of your network). These measures can include isolating endpoints, deleting files, stopping harmful processes, and deploying backups to negate ransomware.
Prevention Techniques
In addition to detecting and responding to threats, a SOC is also tasked with preventing incidents from occurring in the first place. One way a SOC achieves this is by analyzing breaches and performing “root-cause analysis,” which allows security personnel to trace a cyberattack back to its source. Finding out where intruders were able to penetrate your network enables your SOC to shore up gaps in your security posture and prevent similar events from occurring in the future. A SOC can also prevent future attacks by proactively searching for weaknesses in your network and system. “Ethical hacking,” for example, involves members of your SOC attempting to breach your network to learn what will and won’t work when actual hackers make similar attempts.
Does Your Organization Need a SOC?
A SOC can do wonders for your organization’s security posture, which raises the question: why would any company choose not to have a SOC?
That one’s easy — a SOC is pricey! Paying the salaries of the personnel alone will set you back a good amount (security experts can command 6-figure salaries).
That said, times have changed, and the chances of experiencing a cyberattack have gone up exponentially in the past few years. The FBI’s Internet Crime Complaint Center received 791,790 cybercrime complaints in 2020, a 69% increase from 2019. These complaints caused more than $4.2 billion in losses. We live in dangerous times, and taking extra precautions to keep your business safe isn’t paranoid in the current climate — it’s sensible. Establishing a SOC for your business gives you something that’s hard to put a price tag on: peace of mind.
However, certain businesses need a SOC for more than peace of mind. If your company is in one of the following industries, a SOC isn’t just a good idea, but a necessity, as it will be vital to protecting highly sensitive client information and intellectual property:
- Payment Card Industry
- Healthcare
- Manufacturing
- Financial Services
- Government Agencies
- Education
To be clear, even if your business is not in one of the above industries, you should not automatically conclude that you don’t need a SOC. For instance, if you have ongoing security issues or if you’ve suffered a serious breach in the past, investing in a SOC might be a wise business decision. Another reason to seriously consider opting for a SOC is compliance. If you’re facing a bevy of strict regulations, or if maintaining compliance is something your organization is struggling with, a SOC can help you put those issues to bed.
At the end of the day, deciding whether to set up a SOC is a complex cost-benefit analysis. Whatever decision you make for your business, it’s important to keep in mind the following: a SOC relies heavily on technology, but the strength of a SOC ultimately comes from people. Your organization’s security posture is something that needs to be actively maintained, as the threat landscape is in a state of continual flux. So, if you do opt for a SOC to keep your business protected, you want to focus on building a team of committed professionals who continually strive to keep abreast of trends in the cybersecurity world. Anything less isn’t worth the investment.
Meet Corey Staton, IT Support Desk Technician!
Corey Staton quickly became a tremendous asset to the entire team at The 20. Read below to find out more about Corey.
What do you do here at The 20?
For the time being, I am a tier 1 support desk technician that services level 1 tickets with end users.
Describe The 20 in three words…
Like a family.
As a kid, what did you want to be when you grew up?
I never had a particular job in mind growing up, just that I wanted to help everyone that I could. My main goal as a kid was to build an exo-suit style support system for the elderly/disabled to help with motor movements.
What’s the most challenging thing about your job?
If I had to pick the “most challenging” aspect of my job, I’d have to say that it is just the nature of it being remote support and not involving any hands on support.
What do you consider your greatest achievement?
I would have to say that my greatest achievement would have to be finding my wife in High School rather than having to search for her as an adult.
What do you think is the most important quality necessary for success?
I believe that the most important quality that is needed for success in any field is going to be communication. Both the ability to speak up and relay a message effectively, while also being able to listen and understand what is being communicated to you are extremely crucial to anyone’s success at anything that they do.
What do you like most about The 20?
As mentioned previously, The 20 feels so much like a family and there is genuine care from everyone I have interacted with here. I have had event after unfortunate event happen outside of work and have had nothing but support from those here at The 20 and it means so very much to me to have that kind of support from those who have nothing to do with said events.
What do you like to do in your spare time? / What are your hobbies?
I’m quite a social person but as my friends and I have gotten older and moved apart, the main way that we stay in communication and actually spend time together is in video games. In the event that we do get to spend time together physically we will camp, hike, party, and so many more less digital things.
Where are you going on your next vacation?
The next vacation that involves a trip somewhere will most likely just be to Galveston. I lived there and had many relatives that have since passed and have not been back since so I would like to see what all has changed.
What’s your top life hack?
Rice cookers. It’s one of those things that you really wish you had every time that you could use one but then you don’t think about it again until the next time you need it. They also make great wedding gifts if you need to get one.
Interested in working with Corey at The 20? We’re hiring! Check out our Careers page for more info.
What is an SLA?
A Service Level Agreement (SLA) is a written document that defines a set of services and the parameters for their delivery.
SLAs can exist between departments within a single organization. For instance, an IT provider might have an SLA that establishes the ‘services’ marketing owes sales each month (e.g., a certain number of qualified leads). However, an SLA most commonly refers to a written contract between a service provider and a client. Our focus here will be on SLAs that Managed Service Providers (MSPs) use with their clients.
If you’re an MSP, the purpose of your SLA is to define the type and scope of services you are committed to offering a client. In addition, your SLA should clearly establish the following items:
- Desired/Expected Performance Levels (and attendant metrics)
- Service Availability
- Customer Responsibilities
- Consequences of Breach
This list is not exhaustive, and we recommend that you look into working with legal counsel when crafting SLAs for your own organization. There are also a variety of templates available online. These can be helpful, but it’s important not to neglect the unique features of your business when drafting an SLA. After all, your SLA is the cornerstone of your documentation, in that it sets down a clear picture of what customers can expect from you. If your SLA is generic, misinterpretations — whether willful or not — can arise between you and your customers. If it’s unrealistic, you’re just setting your MSP up for failure.
So, when drafting an SLA, aim for two things: clarity and accuracy. You want to tell your customers exactly which services you’re providing, how you’ll be providing them, when you’ll be providing them, etc. Define your services clearly. But it’s just as important that the services you define are in fact your services — i.e., the services you know your MSP can deliver, not the ones you hope it can. It’s better to set modest goals in your SLA and then exceed them than it is to set ambitious ones and fall short.
Let’s take a closer look at SLAs. This article will help you understand what the standard components of an SLA are, what the purpose of each component is, and why your MSP needs a good SLA to operate at its best.
Standard Components of an SLA
Type and Scope of Services
What services can your client expect from your MSP? Your SLA needs to answer this question with total clarity. In fact, it can be a good idea not only to list and describe the services you’re offering, but also to state certain exclusions. For instance, if you have reasonable grounds to believe that a particular client is expecting a service that your MSP is not willing to provide, establishing that the service in question is not your responsibility can help head off disputes further down the line. Of course, documentation should always be a supplement to — and never a substitute for — verbal communication.
Defining your services in a precise fashion is a key part of managing client expectations; if you do not give your clients a clear idea of what they should expect, their expectations of your MSP can quickly outpace your capacities and become unmanageable.
Desired/Expected Performance Levels
Your SLA should define metrics for measuring service quality. Performance metrics in your SLA give your team performance levels to shoot for, and your clients clear standards by which to hold your MSP accountable. You can set up individual metrics for particular services, as well as more general metrics that reflect your MSP’s performance across multiple services and contexts. Your key performance indicators (KPIs) are core metrics that monitor the overall health of your business.
The metrics in your SLA should establish baseline performance levels that you’re confident your MSP can reliably achieve. In other words, set the bar at a realistic height. It’s important that you share your metrics with your clients, either through an online portal or through some other means, to underscore the value of your services. You can hardly utilize your metrics to that end if they reveal consistent failures to meet your own standards of service delivery.
Although showcasing your metrics can be a powerful business tactic, be careful not to give your numbers too much weight. Remember, achieving KPIs is not synonymous with “providing excellent service” or “making your clients happy.” There are aspects of your service that your metrics don’t capture, and it’s entirely possible to provide service that honors your SLA and still comes up short in some other respect. Metrics are useful for assessing service quality, but they’re not the whole story. And, at the end of the day, there’s no substitute for talking to your clients directly and taking their feedback seriously.
Service Availability
Your clients need to know when they can expect to receive support from your MSP. Include your support hours in your SLA, along with any scheduled maintenance, holidays, and other interruptions to service. Most MSPs give uptime guarantees as a percentage. When defining your MSP’s availability, explain in unambiguous language how your support hours relate to your response times, which are themselves an important component of your MSP’s service availability.
Many MSPs use a tiered system for response time guarantees. Tiers represent levels of urgency, with more urgent tickets receiving faster response times. You can look at how other MSPs do things to get ideas, but at the end of the day, the response times you promise your clients need to be what your MSP is capable of achieving on a regular basis. It can be tempting to promise dazzlingly speedy response and resolution times to win a new client, but if you don’t think your desk can reliably respond to critical issues within 4 hours, don’t make that promise — even if it means losing a potential client. Remember: a dissatisfied and disappointed customer does more harm to your MSP business than failing to close a prospect.
Customer Responsibilities
Your SLA should clarify not only what your MSP owes clients, but what clients owe your MSP. What are their responsibilities? When they have a problem, how should they go about reporting it to you? Be specific. Should they call or email? Does it depend on the severity of their issue? What about your clients’ IT environments — do they need to be up to date in certain respects?
There’s room for negotiation when it comes to finalizing an SLA with a particular client, but make sure to arrive at clear expectations that will allow both parties to benefit from accountability.
Consequences of Breach
Your MSP should of course strive to meet — or exceed — the standards set down in your SLA, but things happen. Even the best MSPs can deviate from their contracts from time to time. What’s important is that you have a system in place for compensating clients in the event of a service failure. A popular approach among MSPs is to provide clients with service credits. But whatever method you adopt, it’s vital that you explain in your SLA exactly how your system of remediation works. If you wish to give out service credits as compensation for service failures, spell out how the service credits will be calculated and distributed. Pick a system that’s fair and stick to it.
Also worth including in your SLA is a “force majeure” clause. The purpose of such a clause is to suspend standard obligations and penalties in times of extraordinary circumstances, such as a natural disaster or an act of terrorism.
The Importance of SLAs to Your MSP
As an MSP, your business depends crucially on recurring revenue generated by long-term clients. In short, you need to build strong, lasting relationships with the people to whom you are providing IT services. A good SLA sets a tone of trust and accountability, establishes your commitment to professionalism, and emphasizes the centrality of transparency and clear communication to how your MSP functions. All of these things provide a solid foundation on which to build healthy and fruitful business partnerships with clients.
Having an SLA and honoring it consistently can go a long way toward preventing unpleasant disputes with your clients, but when tensions do arise, your SLA can serve as a critical de-escalation tool. When your commitments and agreements with clients are written down in clear, unambiguous language, you have something objective and concrete you can point to when emotions are running high. You don’t want to ‘weaponize’ your SLA and use it to disregard your clients’ experiences, but in times of conflict — especially conflict that reaches the level of a legal dispute — protecting your MSP is imperative, and your SLA can help shield you from costly and time-consuming battles with dissatisfied clients.
Finally, a word on how to approach writing SLAs for your MSP. Firstly, focus on getting your “Master SLA” ironed out. This will serve as the template from which you construct specific SLAs for individual clients. A good Master SLA will include the nuts and bolts of your business, and will be easy to alter to fit the unique needs of different clients.
When writing SLAs for different clients, keep their unique needs in mind, as well as the condition of their IT infrastructures. Again, “under-promise and over-deliver” should be your guiding principle when drafting specific components of an SLA.
You also want to make sure you train your staff thoroughly on the protocols and procedures contained in your SLA. When everyone on your team knows what your SLA lays out, you can all sing from the same sheet of music and operate more efficiently and cohesively to secure client satisfaction and build your brand.
Concluding Thoughts
A mature MSP needs robust documentation, which starts with an effective SLA. Your SLA contains all of the important information about your service delivery, and plays a key role in setting and managing client expectations. When you take the time to craft a detailed and comprehensive SLA, you end up saving many hours — and headaches — in the long run. However, even the best SLA can’t prevent client dissatisfaction altogether, which makes it all the more vital that your SLA defines your services with the utmost clarity. In the unfortunate event of a legal dispute with a client, you want an SLA without unnecessary vagueness, because the more ‘wiggle room’ there is, the more an angry client (and their lawyers) can leverage your SLA against you.
Here at The 20, we work with the law firm Ciardi Ciardi & Astin to ensure that our MSP members’ SLAs pass muster, even under aggressive scrutiny. We recommend thinking seriously about consulting with legal counsel to help you draft your SLAs, or to shore up SLAs that you’ve already written. In our litigious age, you really can’t be too careful.
Drafting SLAs and other critical documents for your MSP can be intimidating. The 20 is a group of MSPs who work together to conquer the ‘business side’ of IT. With our guidance and the collective expertise of our community of IT pros, you can navigate the challenges of growing your business with confidence and a proven model for success. Get in touch with us today to learn how we can help.
Meet Robert of Eagle Secure Solutions!
Tell us a little about your MSP…
Eagle Secure Solutions was founded in 2005 in Lebanon, Pennsylvania. Our focus has been providing managed services to the small business and local government sectors. We currently hold PA COSTARS #3 Contract and the Master ITQ Contract, which allows us to directly sell products & services to the state of Pennsylvania.
How long have you been a member of The 20?
Eagle Secure Solutions recently joined The 20 and the partnership has opened new doors for us that we wouldn’t have been able to compete with in the past.
Why did your MSP originally look to partner with The 20?
The 20 provided us a more efficient way to procure the necessary add-on products and services that would have cost more to provide internally. In addition to this, we partner with our 20 members to find strategic synergy between our MSP practices.
Tell us about the biggest change in your business since joining The 20.
We now offer so many new services that… it’s a matter of making the time to let the business world know what we can do!
What do you like most about being a member of The 20?
I feel like we are part of a community and we are all invested in each other’s well being. Instead of seeing each other as competition, we are strategic partners for our own company goals and directions.
What do you think is the most important quality necessary for success?
The most important quality for success is knowing when to say I need help.
What are your biggest business challenges?
My biggest business challenge is figuring out how to handle the level of growth that The 20 is helping me to achieve.
What are your areas of focus for 2022?
The focus for 2022 is to continue focusing on local government and small businesses.
What advice would you share with an MSP looking to scale their business?
Do not be afraid to partner with “competition” and challenge yourself to find partnerships with non-IT organizations, which can potentially provide synergy of your IT products and services.
What book are you currently reading?
I’m not currently reading any books other than those that I read to my first born child, Rebecca.
Favorite blogs/podcasts
Business Radio on Sirius XM to keep my mind open on my 45 minute commute to work and home.
B2B vs B2C and What it Means for Your MSP
There is no shortage of articles explaining the differences between B2B (business-to-business) and B2C (business-to-consumer) business models. A simple online search will make this clear. Most of these articles highlight the same basic contrasts:
- The B2B sales cycle lasts longer/is costlier than that of B2C
- B2B relies on long-term client relationships; B2C tends to involve single ‘one-and-done’ transactions
- Compared to B2C businesses, B2B businesses target a smaller, niche prospective client base
- B2B sales and marketing should appeal to reason; B2C sales and marketing should play to emotion
- B2B involves engaging with multiple stakeholders and decision-makers within an organization; B2C involves selling to individuals
Instead of belaboring these points, we want to home in on one in particular, which is especially relevant to managed service providers (MSPs), namely, the idea that B2B sales and marketing tactics should appeal to clients’ reason instead of their emotions. There is some truth to this claim, but as we’ll see, it’s an oversimplification, which, taken the wrong way, could undermine or even derail your MSP’s efforts to attract, win, and hold onto clients.
Before we look at the idea that B2B sales and marketing should appeal to reason, let’s quickly review the basic definitions of B2B and B2C, and establish which type of model describes the commercial activities of MSPs.
B2B vs B2C: A Brief Overview
B2B is an acronym that wears its meaning on its sleeve: business-to-business is a type of sales process that involves businesses selling products/services to other businesses. B2C is equally straightforward: a business-to-consumer retail model is what it sounds like — businesses selling products/services directly to individual consumers.
An MSP is an example of a B2B business, as it offers outsourced IT support to businesses, not individual consumers. Thus, MSPs should implement sales and marketing strategies that align with the core principles of the B2B model. But what are these principles, and just how sound are they?
There isn’t space here to discuss the various aspects of B2B marketing. So, instead, we’ll be looking closely at one in particular: the idea that B2B sales and marketing should appeal to existing and prospective clients’ reason, in contrast to B2C sales and marketing efforts, which ought to play to emotion.
This is a common trope when it comes to discussions of B2B vs B2C best practices, but it’s not the golden nugget of truth it’s often held up to be. The following discussion aims to introduce some nuance into the idea that B2B marketing is all about reason, not emotion. The goal is to give your MSP a more balanced understanding of the topic at hand, so that you can sell and market your services more effectively than ‘the next MSP.’
The Standard View: B2B is ‘All Business’
The idea that B2B marketing should be ‘strictly business’ makes intuitive sense. After all, we are talking about business-to-business transactions here! But all kidding aside, the idea that B2B marketing should appeal to clients’ reason — i.e., their ability to think rationally and objectively — does mesh with certain realities. Let’s look at two such realities . . .
Higher Stakes
When you’re a business selling to another business, the stakes are usually higher than they would be if you were selling a product or service to an individual consumer. As an MSP, your primary objective is to demonstrate that your IT services will constitute a sound investment for your prospective client’s business. The organizations that you’re marketing and selling to want to know that hiring you will be a good business decision with a healthy ROI (return on investment).
This means you have to prop up your pitch with plenty of numbers and cold hard facts. Your pool of leads won’t choose your MSP because you have a nice smile or a firm handshake — though those things can help — but because you’re going to save them time, money, and resources.
So, when selling and marketing your MSP’s services and support model, you want to focus on establishing the strategic advantages that your potential clients can achieve by hiring you.
Longer and More Complex Sales Process
Another reason why B2B sales and marketing need to appeal to reason has to do with a key feature of the B2B sales process: as a business selling/marketing to other businesses, your path to converting a lead into a customer is longer, and requires engagement with multiple stakeholders and decision-makers within an organization.
Think about your MSP. Generally speaking, you’re not going to win a new client by convincing one person that your MSP is great; you’re going to have to win the respect and trust of various key decision-makers — executives, in-house IT staff, and so forth.
What does this have to do with the reason/emotion distinction?
A lot! Unlike B2C transactions, which can capitalize on individual consumers’ in-the-moment impulses and emotions, a successful B2B transaction usually requires that you secure a “yes” from multiple people, over an extended period of time. And such a thing is only possible if you convince your prospective clients that working with your MSP is actually a sensible idea — i.e., that it makes good business sense.
An Alternative Perspective: Emotions Matter Too!
Now that we’ve seen some reasons to think that your MSP, as a B2B operation, needs to appeal to potential clients’ “rational side” to win business, we can begin pushing back on this view with some considerations in favor of a more “emotional” approach.
Consideration #1: B2B and B2C are Both P2P!
With all of the business jargon, it’s easy to get lost in a sea of acronyms and forget one simple truth: whether you’re an MSP selling IT services to small-to-medium sized businesses (SMBs) or a scalper hawking tickets on the sidewalk, at the end of the day, it’s people selling to people. And people aren’t purely rational — no matter how hard we try! Our decisions are based largely on emotion.
So, if you’re an MSP, yes, you need to demonstrate your value to potential clients using facts and figures, but you can’t neglect the vital task of making the people you speak with feel comfortable, listened to, cared for, etc. The fact is, people will trust you more if you’re personable, friendly, and warm, and when a prospective client is on the fence about hiring your MSP, they are likely to fall back on instinct. You want that instinct to be that you’re a good person who genuinely cares about cultivating relationships with your clients.
Consideration #2: The Stakes are High!
Wait, didn’t we mention “higher stakes” as a reason your MSP needs to appeal to your potential clients’ rationality?
Yep! But the fact that stakes are typically higher in B2B transactions (compared to B2C transactions) is also a reason why you can’t neglect the emotional side of the equation. Choosing to work with an MSP is a big business decision that has the potential to go extremely well or extremely poorly for your prospective clients. The emotional intensity of such a decision is much, much greater than, say, that which accompanies purchasing a stick of gum.
For that reason, your MSP’s role — a role that you and your staff all have to take on — is to recognize your prospective clients’ anxieties, fears, and uncertainties, and then, do your best to alleviate those feelings. To do that, you have to connect on a human level. If you can truly listen to the business owners you engage with, instead of viewing them merely as a potential paycheck, it will help your MSP stand out in a crowded and competitive industry. In the same spirit, learn to accept a “no” without any resentment, because oftentimes a “no” is really a “not yet.” Never leave potential clients with a bad taste in their mouths after a pitch, because you want them to remember you fondly if their circumstances change and they decide that working with an MSP — or a different MSP — is a good idea after all.
Consideration #3: Not Everyone is Fluent in Techspeak
MSPs provide IT services to all manner of businesses, many of which aren’t a part of the IT world. Naturally, then, the decision-makers you or your sales team speak with won’t always be well-versed in the jargon that rolls so naturally off your tongue. It’s true that you want to establish technical expertise and an in-depth knowledge of your MSP’s offerings, as well as how those offerings tie into your prospective clients’ business objectives. But, at the same time, leaning too hard into “techspeak” can have the adverse effect of overwhelming, confusing, or even angering your leads. Be wary of falling into the trap of trying to impress with fancy terminology, when a simple explanation would be more effective and powerful.
This consideration ties into the previous one. Many of the decision-makers you speak with are going to be feeling anxious about outsourcing their IT. Dumping a truckload of jargon on their heads is hardly going to help. You want to be professional and make it obvious that you know your stuff when it comes to IT, but your conversation with potential clients needs to be just that — a conversation! Don’t talk at leads; talk to them, and in terms they can easily understand.
This also applies to your marketing collateral. Make sure it’s not too heavy on jargon, and develop an overarching brand identity or story with universal, human appeal. If your only selling points are technical, you’re going to be in trouble. The MSP space is simply too crowded and competitive for your company to stand out without branding that resonates with fellow tech people and the technophobic alike.
Concluding Remarks
As a B2B enterprise, your MSP will win new clients by taking them through a long-term sales cycle, in which you answer their questions, provide them with plenty of information, and demonstrate your value in clear, quantitative terms. In short, you have to earn prospective clients’ trust by speaking to their rational side, because no one’s going to hire an MSP just because it ‘feels right’ or ‘seems like a good idea in the moment.’
That said, you have to do all of that with a human touch, making sure to cultivate a personal connection. If you try to ‘argue’ your way to new clients by presenting your MSP’s value in purely technical terms, you can easily lose precious leads by failing to tap into the most powerful motivator of all: emotion.
If you’re an MSP that struggles with sales and marketing, we encourage you to reach out to us. Here at The 20, we help MSPs conquer sales, marketing, and a host of other challenges that commonly hold MSPs back. Learn more about what we do, and how our revolutionary business model can take your business to the next level.
Four Cybersecurity Tips for a Safe and Secure 2022
We are in the last week of Cybersecurity Awareness Month, an observance started in 2004 by the National Cyber Security Alliance and the U.S. Department of Homeland Security.
Now in its 18th year, the annual awareness effort has grown into a powerful campaign that serves to energize and educate the general public, while giving institutions and enterprises the guidance and tools they need to keep their data safe, and their people protected. The theme for Cybersecurity Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
This is a powerful message, and one that is crucial at this juncture in history. The past decade — and the past several years especially — has seen an explosion in the prevalence, sophistication, and destructiveness of cyberattacks, with the Covid pandemic only exacerbating what was already a serious problem.
Things aren’t going to get any easier, either. In fact, experts predict that cybercrime costs will steadily rise over the next several years and exceed $10 billion by 2025. Fueled by success, emboldened by new technologies, and in some cases, backed by nation-states, cybercriminals are certainly gearing up for a busy year. Cybercrime isn’t going anywhere. But here’s the thing . . .
Neither are we. MSPs aren’t going anywhere, nor is their commitment to keeping their clients and their data safe. The IT industry as a whole isn’t going anywhere, and there are a lot of us, willing to fight the good fight and keep threat actors at bay. The United States isn’t going anywhere, nor is the global community in which America plays a vital role. This brings us back to the theme of Cybersecurity Awareness Month 2021, and why it’s so apt and timely.
We — individuals, institutions, businesses, communities, countries — can’t afford to treat cybercrime as a purely technological issue with no direct connection to daily life, or more simply, ‘not my problem.’ It is all of our jobs to keep cyberspace from being overrun with nefarious activity. If we all do our part and stay smart, we can win this fight. But we can’t hesitate or hedge our bets — it’s time to go all in!
The Role of MSPs
Managed service providers (MSPs) are in a unique position to lead the fight against cybercrime. By making cybersecurity a priority and an integral part of operations and internal culture, MSPs can inspire their client businesses to do the same. This will have ripple effects that strengthen our entire country’s security posture.
So, let’s get smart and do our part. Here are four cybersecurity tips for MSP Owners going into 2022.
Tip #1 – Adopt a Culture-First Mentality
When it comes to cybersecurity, there’s a temptation to immediately think about technical solutions: the right tools and software with which to protect your MSP business, and by extension, your clients’ businesses. But given that the overwhelming majority of data breaches involve a human element (i.e., human error), it makes sense to think about cybercrime as a human/social problem, calling for a cultural solution (i.e., a shift in thinking).
Establishing a culture of cybersecurity awareness might sound like a vague undertaking — something you agree with in theory, but which seems like it wouldn’t amount to much in practice. But this couldn’t be farther from the truth.
Building a robust cybersecurity culture at your MSP means taking very concrete measures: building employee cybersecurity training into your onboarding process, emphasizing cybersecurity in your marketing collateral, making sure your clients’ software and applications are being regularly updated, encouraging your technicians to report any potential security issues — even if the issue might be a false alarm. In short, adopting a culture-first mentality about cybersecurity means taking action on all fronts, so that your staff and your clients’ businesses can all get on the same page. A unified front is the end goal, because all it takes is one weak link for something bad to happen.
Tip #2 – Get Smart about P#ssw0rds!
Let’s talk about passwords. We all use them for both personal and professional platforms. They’re central to our lives. Our crucial data rests on their strength. And yet, bad passwords remain a rampant issue and an easy point of ingress for threat actors.
You might know good password hygiene, but do your clients? What about their end-users? A survey from 2019 found that nearly a quarter of Americans have used “Password,” “Qwerty,” “123456,” or something similarly obvious for a password. The bottom line is that people systematically underestimate how easy it is for hackers to guess weak passwords.
Your MSP can help clients shed this attitude for good, by not only conveying the dangers of weak passwords, but also, by offering solutions such as Password Managers, training, and educational content. One good idea is to provide a sequence of onboarding emails and include one devoted to password hygiene. After all, strengthening your clients’ cybersecurity posture is something to do immediately and proactively, not after disaster has already struck.
Tip #3 – Implement Multi-Factor Authentication
Multi-factor authentication (MFA) is a shining example of layered security in action. Instead of following the old cybersecurity methodology, and treating “the network” as a trusted space enclosed by a fixed perimeter, MFA employs a “zero trust” approach to cybersecurity by requiring that all users provide, in addition to their log-in credentials, a second piece of identity-verifying evidence before gaining access to an application or service.
When your organization is equipped with MFA, threat actors can’t infiltrate your systems simply by illicitly obtaining log-in credentials through phishing and other means. This raises the difficulty level for hackers exponentially, and although MFA doesn’t offer 100% protection for your MSP and its clients (no cybersecurity tool does!), it does greatly mitigate the risks of a social engineering attack.
Here at The 20, we believe strongly in MFA, because we understand that employee training can only go so far. At the end of the day, you want an additional layer of security to keep threat actors out. Our tool of choice for MFA is ID 20/20, an authentication solution that makes identity verification fast, easy, and secure. Learn how it works here!
Tip #4 – Come Together as a Community
This last one is less a tip and more a rallying cry. The cybercriminal of today is not an isolated actor, cooped up in a basement and carrying out attacks for personal reasons. On the contrary, today’s threat actors operate within highly sophisticated and politically motivated organizational structures. Hackers work in groups (e.g., DarkSide and REvil), and their coordinated attacks are strategic components of broader campaigns to undermine national infrastructure and social wellbeing.
Standing up to these opportunistic and highly organized criminals requires that we adopt an equally — no, a more robust and coordinated cyberdefense strategy. There is indeed strength in numbers, and if the last few years have taught us what hackers are capable of when they have institutional resources at their disposal, let the next few years be a lesson on how strong America’s businesses and people are — especially when we put our differences aside and commit to taking down a common foe.
Right now, we don’t need heroes to fend off cybercriminals; we need each other. Your MSP can set a tone of cooperation and collaboration by working closely with clients to enhance their security posture, and by providing the IT community at large with thought leadership and actionable content.
Working together to kick a** and help businesses sustain growth and profitability . . . Now that is an idea The 20 can get behind!
Meet Wynn of In-Touch Computer Services!
Tell us a little about your MSP…
50% of our business is in Georgia and 50% is in Florida. I started In-Touch Computer Services in 1992 in Rome, Georgia. I’m now based out of Atlanta, just inside the perimeter and my team is scattered mostly across North Georgia and North Florida. We serve clients as far north as Manhattan in New York and as far south as Pompano Beach in Florida (nearly Miami). Over the years we’ve done 3 acquisitions to grow our business.
How long have you been a member of The 20?
Early 2021
Why did your MSP originally look to partner with The 20?
We wanted to standardize our offering a little more and focus our technical team on the Tier 3-4 work.
Tell us about the biggest change in your business since joining The 20.
We just finished moving all of our agents to The 20 at the end of September, so we haven’t really gotten settled in yet. The biggest change has been learning all the new tools, BMS, VSA, etc. We had been on Connectwise since 2005 and Continuum (Zenith) since 2006.
What do you like most about being a member of The 20?
We like the people the most, which is #1 in business.
What do you think is the most important quality necessary for success?
Find something you love to do that serves others, and do it. If your goal is only to finish work and retire, your work will not amount to much.
What are your biggest business challenges?
As CEO, my biggest job is BALANCE. It’s my job to make sure my team is happy and challenged, make sure my clients are happy and taken care of, and the investment in the business continues to make sense from a financial standpoint. When that balance is off, I can feel it.
What are your areas of focus for 2022?
For 2021, it has been to get settled into The 20, learn the tools and streamline the operations. So, for 2022 the focus will be to grow with a new level of efficiency and service.
What advice would you share with an MSP looking to scale their business?
Number 1: Learn to DELEGATE to others. Others have strengths and preferences that you don’t have. Allow them to use those strengths. I’ve been very fortunate to have great people that have been with me for many years. Early on, I realized that Marsha loves the tedious tasks that drive me crazy – for 26 years she’s been happy and I’ve been happy. As we’ve grown, we’ve continued to find others whose strengths and preferences make us a better team. Also, find ways to delegate to other businesses – like The 20.
Number 2: Have FAITH in your people. If you feel you can’t trust someone, let them go. You must be able to share a mutual trust so the BS of life doesn’t interfere with your ability to take care of each other and the customer.
What book are you currently reading?
Along with my Vistage business group, I’m reading Brene Brown’s book: Dare to Lead. (I also read the Wall Street Journal every day to keep my perspective global and not just local).
Favorite blogs/podcasts
Podcasts: Ted Talks Daily and 99% Invisible